ZitMo Trojan Lurks in Android Security Suite Premium App

Kaspersky Lab researchers have discovered a variant of the Zeus Trojan being propagated as the Android Security Suite Premium application.

The Zeus Trojan is widely hailed as one of the most dangerous pieces of malware to ever surface in the wild, and the malicious code continues to spread.

It can lay dormant for long periods until the user of the infected machine accesses targeted information, such as banking accounts. Zeus then harvests passwords and authentication codes.

The variant Kaspersky examined, known as ZitMo (short for "Zeus-in-the-mobile"), targets Android smartphone users and is capable of collecting system information and stealing SMS text messages.

"On the 4th of June 2012 we found 3 APK [Android application package] files of ~207 kb in size each heuristically detected by our engine as HEUR:Trojan-Spy.AndroidOS.Zitmo.a. All these applications are malicious and were created to steal incoming SMS messages from infected devices. SMS messages will be uploaded to a remote server whose URL is encrypted and stored inside the body of the Trojan," Kaspersky's Denis writes.

"We found 3 more APK files with exactly the same functionality on 8th, 13th and 14th of June. So there are at least 6 files which pretend to be ‘Android Security Suite Premium’ but in fact were created only for stealing incoming SMS messages."

Infected devices will display an ordinary-looking application icon named "Android Security Suite Premium", and when executed it displays a multi-colored shield logo with an activation number.

Kaspersky says the malware includes the ability to "receive commands for uninstalling themselves, stealing system information and enabling/disabling the malicious applications."
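The behaviour described in the two quoted passages above (an app that intercepts incoming SMS and uploads it to a remote server) leaves a recognisable footprint in an APK's manifest: an SMS receive permission, a broadcast receiver for incoming SMS, and network access. The following static triage script is an added example written for this article; it is not Kaspersky's tooling and is not derived from any ZitMo sample. The two manifests it inspects are constructed for illustration (package names, class names and the "Android Security Suite Premium" label are assumptions), in the decoded form a tool such as apktool produces.

```python
"""Static triage of a decoded AndroidManifest.xml for the permission and
receiver pattern used by SMS-stealing trojans.

Added example for this article, not Kaspersky's code.  Both manifests
below are constructed samples, not real ZitMo artifacts.
"""
import xml.etree.ElementTree as ET

# Attribute keys carry the android: namespace when parsed by ElementTree.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that let an app read incoming SMS, and the one it needs to
# send anything to a remote server.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
NET_PERMS = {"android.permission.INTERNET"}
# Broadcast action delivered when an SMS arrives.
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest resembling an SMS stealer posing as a security app.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.securitysuite">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Android Security Suite Premium">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest for an ordinary networked app with no SMS access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return findings relevant to SMS-interception behaviour.

    The 'suspicious' flag is set only when all three ingredients of an
    SMS stealer are present: an SMS permission, a receiver listening for
    SMS_RECEIVED, and network access to upload what it captured.
    """
    root = ET.fromstring(xml_text)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

    sms_receivers = []
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.findall("action")}
            if SMS_ACTION in actions:
                prio = flt.get(ANDROID_NS + "priority")
                sms_receivers.append({
                    "name": receiver.get(ANDROID_NS + "name"),
                    # A high priority lets the receiver see the message before
                    # the stock messaging app, a common stealer trait.
                    "priority": int(prio) if prio is not None else 0,
                })

    findings = {
        "package": root.get("package"),
        "sms_permissions": sorted(perms & SMS_PERMS),
        "network_permission": bool(perms & NET_PERMS),
        "sms_receivers": sms_receivers,
    }
    findings["suspicious"] = (
        bool(findings["sms_permissions"])
        and findings["network_permission"]
        and bool(sms_receivers)
    )
    return findings


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST),
                            ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(manifest))
```

The flag is deliberately a conjunction rather than a score: many legitimate apps request SMS permissions, so a single permission is a weak signal on its own, while the combination of an SMS receiver and network access is what an SMS-forwarding trojan cannot do without. In practice the findings would be reviewed alongside the decompiled code and the app's distribution source, since the manifest alone cannot reveal an encrypted upload URL of the kind the quoted analysis describes.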

Examination of the Command and Control (C&C) domains revealed that the servers may be controlled by entities known for previous operations involving the use of the Zeus Trojan.

"So, there is new piece of Android malware which steals incoming SMS messages and uploads them to the remote server. One of the remote server domains was registered using the same fake data which was used for registering ZeuS C&Cs back in 2011. And the malware’s functionality is almost the same as in old ZitMo samples. Therefore ‘Android Security Suite Premium’ = New ZitMo," Denis concludes.

The source of the malicious application's distribution was not noted in the Kaspersky analysis, so Android users should continue to exercise caution when downloading applications that have not been approved by legitimate providers.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.